| author | Yannick Bungers | 2020-11-27 09:09:29 +0100 | 
|---|---|---|
| committer | GitHub | 2020-11-27 09:09:29 +0100 | 
| commit | 8f7e11f780fc5d079121dda21bfe7c397f66d501 (patch) | |
| tree | 79f7f4e70ead063eb25aa01c51b0b6a0343d9539 /lib/web | |
| parent | 66ad73d853d15423c63b823102931b35ef93722a (diff) | |
| parent | 729b387536d2bcf43a20b2ddead4bffdfd342d2a (diff) | |
Merge pull request #595 from joachimmathes/oauth2_authorization
Add oauth2 authorization roles
Diffstat (limited to '')
| -rw-r--r-- | lib/web/auth/oauth2/index.js | 23 | 
1 files changed, 22 insertions, 1 deletions
diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index 6e3e8373..b8e62dda 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -4,6 +4,7 @@ const Router = require('express').Router
 const passport = require('passport')
 const { Strategy, InternalOAuthError } = require('passport-oauth2')
 const config = require('../../../config')
+const logger = require('../../../logger')
 const { passportGeneralCallback } = require('../utils')
 let oauth2Auth = module.exports = Router()
@@ -31,6 +32,7 @@ class OAuth2CustomStrategy extends Strategy {
         return done(new Error('Failed to parse user profile'))
       }
+      checkAuthorization(json, done)
       let profile = parseProfile(json)
       profile.provider = 'oauth2'
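Review bot: The `checkAuthorization(json, done)` call added in the OAuth2CustomStrategy hunk is not terminal: when the role check fails, checkAuthorization invokes `done('Permission denied', null)` and returns undefined, yet this caller falls straight through to `let profile = parseProfile(json)` and, judging by the lines that follow outside the hunk, presumably passes the profile to the same `done` a second time. The denial therefore does not stop the authentication flow, and passport's verified callback is invoked twice for one request, once with an error and once with a profile. The same pattern is in the `OAuth2CustomStrategy.prototype.userProfile` hunk on the next line. Make the call a guard that exits the callback, e.g. `if (!checkAuthorization(json, done)) return`, with checkAuthorization returning false after it has reported the denial and true otherwise. The enclosing method starts and ends outside the hunk.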
@@ -50,18 +52,36 @@ function extractProfileAttribute (data, path) {
 }
 function parseProfile (data) {
+  const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr)
   const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
   const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
   const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
   return {
-    id: username,
+    id: id || username,
     username: username,
     displayName: displayName,
     email: email
   }
 }
+function checkAuthorization (data, done) {
+  const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
+  const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
+
+  if (config.oauth2.accessRole) {
+    if (!roles) {
+      logger.error('oauth2: "accessRole" configured, but user profile doesn\'t contain roles attribute. Permission denied')
+      return done('Permission denied', null)
+    }
+
+    if (!roles.includes(config.oauth2.accessRole)) {
+      logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`)
+      return done('Permission denied', null)
+    }
+  }
+}
+
 OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
   this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
     var json
@@ -76,6 +96,7 @@ OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
       return done(new Error('Failed to parse user profile'))
     }
+    checkAuthorization(json, done)
     let profile = parseProfile(json)
     profile.provider = 'oauth2'
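Review bot: `checkAuthorization` gives its callers no way to learn the outcome: it returns undefined both when it has denied access (after calling `done`) and when the user passed, so the call sites cannot stop on denial. It also rejects with the bare string `'Permission denied'` where the rest of this file passes `new Error(...)` to `done`, and `roles.includes(...)` assumes an array; if the configured rolesClaim resolves to a string, `includes` becomes a substring test and a role such as `admin` would be accepted for any value merely containing that text (the claim's shape is not visible here, so confirm against the identity provider). Return a boolean, wrap the error in `Error`, and normalise the claim to an array before an exact membership check, as below.
```javascript
function checkAuthorization (data, done) {
  // … unchanged: roles / username extraction …
  if (!config.oauth2.accessRole) {
    return true
  }
  if (!roles) {
    // … unchanged: logger.error(...) …
    done(new Error('Permission denied'), null)
    return false
  }
  // exact membership test; a scalar claim is wrapped so String.prototype.includes is never reached
  const roleList = Array.isArray(roles) ? roles : [roles]
  if (!roleList.includes(config.oauth2.accessRole)) {
    // … unchanged: logger.debug(...) …
    done(new Error('Permission denied'), null)
    return false
  }
  return true
}
```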
